Linux, Samba, XFS, ACL and Windows Authentication HowTo

In this document I outline how I set up a test Linux box with a NetBIOS name of \\MYNAME to
act as a fileserver on the MYDOMAIN Windows domain. The PDC is running NT4 and holds
all account information. The Linux box uses the domain account information off the PDC
and has no Windows user accounts on it. This makes adding this NAS type setup super simple
as a prebuild black-box Windows solution (Read: "Get Rich Quick!").

The Linux box has XFS and Samba configured to present ACL's to the Windows clients.

I assume you know how to build your own kernel and patch it up for XFS, configure and
install it.

You can use Ext3, JFS or Reiserfs as well for snapshots. Read below for more

Linux box info:

Windows box info: As a somewhat useful extension, you can do Micro Backups throughout the day which is
reason enough to implement this.

Build a kernel with ACL support:
make menuconfig
File systems  --->
	<M> XFS filesystem support
	    [*]   ACL support

Remove the existing Samba, build a new one with acl support and configure it:
rpm -e samba redhat-config-samba samba-client samba-common
rpm -Uvh acl-2.2.7-0.i386.rpm libacl-2.2.7-0.i386.rpm libacl-devel-2.2.7-0.i386.rpm
cd /root/Build/
gtar -xvjf ~/samba-3.0.0.tar.bz2
cd /root/Build/samba-3.0.0/source/
./configure --with-acl-support --prefix=/opt/samba/3.0.0
make install
cp /root/Build/samba-3.0.0/source/nsswitch/ /lib
ln -s /lib/ /lib/
cd /opt/samba/
ln -s 3.0.0 P
vi /opt/samba/P/lib/smb.conf
	   workgroup = MYDOMAIN
	   netbios name = MYNAME
	   encrypt passwords = yes
	   security = domain
	   hosts allow = 192.168.1 127.
	   map acl inherit = yes
	   log file = /opt/samba/P/var/log.%m
	   max log size = 50
	   nt acl support = yes
	   server string = Samba Server
	   winbind uid = 10000-20000
	   winbind gid = 10000-20000
	   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	   dns proxy = no 
	   comment = A Shared Drive
	   browseable = yes
	   writable = yes
	   guest ok = no
	   path = /var/net/MyShare

Configure Linux system to also authenticate via winbind:
vi /etc/nsswitch.conf 
	# passwd:     files
	passwd:     files winbind
	# group:      files
	group:      files winbind

Start Samba:
/opt/samba/P/sbin/smbd -D
/opt/samba/P/sbin/nmbd -D
smbpasswd -j DOMAIN -r -U administrator

/opt/samba/P/bin/net join -U Administrator
/opt/samba/P/bin/net join -U Administrator --server=MYPDC --workgroup=MYDOMAIN --ipaddress=


Punch a hole in the firewall for the local subnet:
vi /etc/sysconfig/iptables
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s --dport 137 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s --dport 138 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s --dport 139 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s --dport 445 --syn -j ACCEPT
service iptables start

Create the shared folder:
mkdir -p /var/net/MyShare
chmod 770 /var/net
chmod 770 /var/net/MyShare
setfacl -m g:MYDOMAIN\\MYDOMAIN:rwx /var/net
setfacl -m g:MYDOMAIN\\MYDOMAIN:rwx /var/net/MyShare

Optional diagnostics:
/opt/samba/P/bin/wbinfo -u
/opt/samba/P/bin/wbinfo -g
getent passwd
getent group

Micro Backups

Users create files, work on them throughout the day and then accidentally delete or corrupt them
before they get committed to tape at the end of the day. The idea here is to take snapshots of a
work drive every 30 minutes and present those snapshots on another share with read only access.

Random thoughts
This method of snapshot isn't the most efficient method of micro-backup as the altered block gets copied to multiple snapshots. Some sort of circular buffer in the LVM with a timestamp would mean that we could view the disk at nominated point in time, up to the size of the buffer. I'm not too sure what XFS would think of this as I quiesce the disks before snapshotting at the moment. Anyway, all this is the stuff is potential tomorrow-ware.
Of course, this method of snapshot and mount works fine for Linux/Unix filesystems as well but they tend to not corrupt their files as often. :)
Note: A snapshot as used by LVM under Linux is an frozen, point in time instantaneous capture of a filesystem. As a block is altered on the "real" filesystem, before that block is written over, it is copied off to the LVM snapshot layer (Copy On Write or COW). If you've used UML (UserMode Linux) you'll know what I mean. This COW has at cost though.

This example details doing a snapshot every 30 minutes between 07:00 - 18:30 of
\\MYNAME\MyShare\ and storing the snapshots in \\MYNAME\MyShareBKUP\0700\ through
\\MYNAME\MyShareBKUP\1830\ which are read-only. The backups auto-rotate, anything older
than this should be on tape.

A script to do snapshots every half hour:
#! /bin/sh

# Snapshots source: /dev/Disks/$SHARE/
# To destination: /var/net/${SHARE}BKUP/HHMM/ where HH=Hour, MM=Minutes
# Crontab: 0,30 7-18 * * * /root/Bin/
# Author: Clark Mills Fri Oct 17 09:17:38 NZDT 2003
export PATH=/sbin:/bin:/usr/local/bin/
MINUTE=`date +%M`
HOUR=`date +%H`
if [ "$MINUTE" -gt 15 -a "$MINUTE" -lt 45 ]; then
umount /var/net/${SHARE}/${HOUR}${MINUTE}
lvremove -f /dev/Disks/${SHARE}_bk${HOUR}${MINUTE}
xfs_freeze -f /var/net/${SHARE}
lvcreate -L500M --snapshot --name ${SHARE}_bk${HOUR}${MINUTE} /dev/Disks/${SHARE}
xfs_freeze -u /var/net/${SHARE}
mount -o ro,nouuid /dev/Disks/${SHARE}_bk${HOUR}${MINUTE} /var/net/${SHARE}BKUP/${HOUR}${MINUTE}

Create a share in Samba for the snapshot:
vi /opt/samba/P/lib/smb.conf
	   comment = Timed Backup of MyShare Drive
	   browseable = yes
	   writable = no
	   guest ok = no
	   path = /var/net/MyShareBKUP

How the \\MYNAME\MyShare and \\MYNAME\MySharedBKUP tree looks in Windows Explorer:

Under each timed folder, eg. \\MYNAME\MyShareBKUP\0700, you see the same tree as the
main read/write share \\MYNAME\MyShare. The difference is that the content is captured
as read-only for 24 hours or until the server is shutdown (Linux doesn't crash :)

Odd Notes

From:	 Nic Bellamy
Subject: RE: [nzlug] Samba Linux w ACL & 30 minute backups
Date:	 20 Oct 2003 16:30:23 +1300
...perhaps mention the nifty snapshot method can also be used with filesystems other than XFS (such as ext3/reiserfs), but you need to add the VFS-Lock patch to your kernel (it's found within the LVM source tarball).1

1Yes, you can do it without the patch too - if you feel like unmounting the filesystem while you do it. [DELETED]

On Wed, 2003-10-22 at 12:03, Ravi wrote:
>     setfacl -m g:MYDOMAIN\\MYDOMAIN:rwx /var/net
>     setfacl -m g:MYDOMAIN\\MYDOMAIN:rwx /var/net/MyShare
> I got confused with above two lines Could you please explain to me what to
> do with "g:MYDOMAIN\\MYDOMAIN:rwx"?
> Do I need to create a Group called MYDOMAIN, for instance RAVIGROUP?

Hi Ravi.

    setfacl -m g:MYDOMAIN\\MYGROUP:rwx /var/net

might be a clearer way to put it. Replace MYGROUP with any existing domain
group you feel should have access to the folder. Replace MYDOMAIN with
your DOMAIN.

If you don't do this, the users won't have permission to get into the share.

From:	 Bruno Veluet <bveluet(a)>
Organization: Leonix Technologies
Date:	 28 Mar 2005 15:24:39 +0200 (CEST)
When I found your Howto about "Linux, Samba, XFS, ACL and Windows Authentication", I was extremly interested in LVM snapshots. So I tested it but some of the bugs you listed was very annoying.

I've worked on your script a little more in order to find some workaround.

I send to you the updated script. HERE

The workaround for "Can we umount/remount if a Samba user is in the share? "busy"? " is:

(Only in the case of a fileserver which is sharing the directories in dev/sysfs/home and no other apps are working on it...)

1. Freeze smbd 
2. Is smbd accessing on a file in write mode ?
	if yes => Unfreeze smbd ; sleep the script ; goto 1.
	else continue
(We suppose that no process are accessing the partition)
3. Take the snapshot with LVM
4. when it's ok : unfreeze smbd 
5. mount the snapshot.
I've had lot of problems with XFS and LVM2 on 2.6(.8, .9, .10) kernels... (ie : xfs_freeze hangs ...) so I choosed ext3.


From:	 Axel Fleischer <x (a)>
Subject: linux samba xfs acl + msoffice
Date:	 23 May 2005
I'm using the same configuration for a medium size office server with
about 60 clients. It mostly works fine since 2003, but a bug occurs:

A short description:

userA creates an msoffice document
userA saves it.
userA closes it.

userB opens this document
userB saves it.
userB closes it.

Result: The document has 'readonly'(4xx) user rights, the document is write protected.
This behaviour is caused by the special MSOffice handling of generating new files during the save procedure.

Do you know about this? Any experiences? Any suggestions?
From:	 Clark Mills
Off the top of my head, would the smb.conf command:

    force create mode = 0660

help here? I'm assuming that ACLs are what matter at the end of the day and
that unix permissions don't matter except when they get in the way.
From:	 Axel Fleischer


This is experimental so use at your own risk, let me know if you have any problems though so I
can update my docs.


Possible future additions

The wifes web page: Megan Mills

Document History
Thu Oct 16 15:37:44 NZDT 2003 c.mills Created
Fri Oct 17 09:26:25 NZDT 2003 c.mills Added Snapshot script
Mon Oct 20 12:51:38 NZDT 2003 c.mills Windows Explorer view and Bugs
Mon Oct 20 16:01:25 NZDT 2003 c.mills Try explain why an LVM snapshot is better than rsync.
Mon Oct 20 21:05:09 NZDT 2003 c.mills Note f/s' other than XFS are snapshotable
Thu Oct 23 10:48:06 NZDT 2003 c.mills NT group clarification for Ravi
Wed Mar 30 10:34:09 NZST 2005 c.mills Added Bruno Veluet, Leonix Technologies script
Mon May 23 21:51:20 NZST 2005 c.mills Added Axel Fleischer, possible work around for file mode problem
Wed Jun  7 15:19:56 NZST 2006 c.mills Pedantic way of joining domain added
Clark Mills